CN102480729B - Method for preventing fake user in wireless access network and access point - Google Patents

Info

Publication number: CN102480729B
Application number: CN201010553071.6A
Authority: CN (China)
Prior art keywords: terminal, access point, MAC address, entry, virtual access
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102480729A
Inventors: 彭永超, 郭辉, 刘昕颖, 唐珂
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201010553071.6A
Priority to PCT/CN2011/072402 (WO2012068815A1)
Publication of CN102480729A
Application granted
Publication of CN102480729B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854: Wide area networks, e.g. public data networks
    • H04L12/2856: Access arrangements, e.g. Internet access
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12: Detection or prevention of fraud
    • H04W12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122: Counter-measures against attacks; Protection against rogue devices
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/10: Mapping addresses of different types
    • H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]


Abstract

The invention discloses a method for preventing a fake user in a wireless access network and an access point. The method comprises the following steps: establishing one or more virtual access points, wherein a virtual access point has a Basic Service Set Identification (BSSID) corresponding thereto; connecting the terminal to a virtual access point according to the MAC address of the terminal, and authenticating the terminal; for the legal terminal passing the authentication, binding the IP address and/or the MAC address of the legal terminal with BSSID of a virtual access point connected with the legal terminal, and determining the binding relationship between the legal terminal and the virtual access point; and forwarding the data frame sent by the legal terminal according to the binding relationship, and discarding the data frame sent by the fake terminal. By means of the technical scheme of the invention, the aim of preventing fake users in the 802.11 wireless access network can be realized.

Description

Method and access point for preventing counterfeit users in a wireless access network

Technical field

The present invention relates to the field of mobile communications, and in particular to a method and an access point for preventing counterfeit users in a wireless access network.

Background

At present, in 802.11 wireless access networks built by network operators, a commonly used authentication method is Web authentication. This method requires the access point (AP) to advertise itself as an open system: a user terminal can connect to the AP without entering a password and dynamically obtain an IP address. At this stage, however, the terminal's network access is restricted to a few fixed addresses, for example the Domain Name System (DNS) server and the Web portal server. When the user opens a browser and visits any page, the request is redirected to the Web portal server, which pushes a Web login page prompting the user for a user name and password. A user who has previously subscribed to the service at a business hall can directly enter the user name and password obtained at subscription time; otherwise the user can enter a mobile phone number and receive a temporary user name and password by phone. Once the user passes authentication, all services can be used normally.

The advantage of Web authentication is that no customized client software needs to be downloaded and installed on the user terminal; the login process can be completed with a browser. The disadvantage is that the over-the-air frames exchanged between the user terminal and the AP are usually unencrypted, which creates security risks, one of the more serious being counterfeit users. A counterfeit user uses an over-the-air packet capture tool to capture the frames exchanged between other user terminals and the AP, obtains the MAC address, IP address and other information of a legitimate terminal that has already passed authentication, and then changes the MAC address and IP address of its own wireless network card to those of the legitimate terminal. The frames sent by the counterfeit terminal are then effectively indistinguishable from those sent by the legitimate terminal, the AP cannot tell them apart, and the counterfeit terminal can use services reserved for authenticated terminals without ever authenticating. The charges generated by the counterfeit user are billed to the legitimate user's account, harming the interests of both the legitimate user and the operator.

In the related art, other commonly used authentication methods in wireless access networks are pre-shared key and 802.1x authentication. Most wireless access networks using these two methods encrypt the frames transmitted over the air; if they do not, the counterfeit-user problem exists there as well.

At present, in wired access networks, counterfeit users are usually prevented by binding the Internet Protocol (IP) address plus the Media Access Control (MAC) address to a physical port. That is, after the user passes authentication, the switch binds the terminal's IP address plus MAC address (or only the IP or the MAC address) to the physical port it is connected to; any frame with the same IP address or MAC address arriving from another physical port is considered illegitimate and discarded. This method has one precondition, however: the legitimate terminal and the counterfeit terminal must be connected to different physical ports. Even if the source MAC and IP addresses of a frame are the same, the incoming physical port then reveals which terminal sent it.

In a wireless access network, the AP differs from the switch of a wired access network. The wireless channel on which the AP operates can be regarded as a physical port, and an AP generally operates on only one or two channels at any time (some APs support 802.11a/b/g and can work on a 2.4 GHz and a 5 GHz channel simultaneously), so the AP has only one or two physical ports. The legitimate terminal and the counterfeit terminal both connect to the AP through the same physical port, so the method of binding IP+MAC to a physical port is not applicable in a wireless access network. A method for preventing counterfeit users that is suitable for wireless access networks is therefore urgently needed.

Summary of the invention

The present invention provides a method and an access point for preventing counterfeit users in a wireless access network, to solve the problem that the prior art cannot prevent counterfeit users in a wireless access network when the frames transmitted over the air are unencrypted.

The present invention provides a method for preventing counterfeit users in a wireless access network, comprising:

establishing one or more virtual access points, wherein each virtual access point has a corresponding Basic Service Set Identifier (BSSID);

connecting a terminal to a virtual access point according to the terminal's MAC address, and authenticating the terminal;

for a legitimate terminal that has passed authentication, binding the IP address and/or MAC address of the legitimate terminal to the BSSID of the virtual access point it is connected to, thereby determining the binding relationship between the legitimate terminal and the virtual access point;

forwarding the data frames sent by the legitimate terminal according to the binding relationship, and discarding the data frames sent by a counterfeit terminal.

The present invention also provides an access point, comprising:

a first establishing module, configured to establish one or more virtual access points, wherein each virtual access point has a corresponding Basic Service Set Identifier (BSSID);

a connection module, configured to connect a terminal to a virtual access point according to the terminal's MAC address;

an authentication module, configured to authenticate the terminal;

a second establishing module, configured to bind, for a legitimate terminal that has passed authentication, the IP address and/or MAC address of the legitimate terminal to the BSSID of the virtual access point it is connected to, thereby determining the binding relationship between the legitimate terminal and the virtual access point;

a processing module, configured to forward the data frames sent by the legitimate terminal according to the binding relationship, and to discard the data frames sent by a counterfeit terminal.

The beneficial effects of the present invention are as follows:

By establishing VAPs and binding the IP+MAC of the legitimate terminal to a VAP, the invention solves the problem that the prior art cannot prevent counterfeit users in a wireless access network when the frames transmitted over the air are unencrypted. It achieves the goal of preventing counterfeit users in an 802.11 wireless access network and protects the interests of legitimate users and operators.

Brief description of the drawings

FIG. 1 is a flowchart of a method for preventing counterfeit users in a wireless access network according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of the AP's processing for preventing counterfeit users according to an embodiment of the present invention;

FIG. 3 is a signaling flowchart of calling the hook functions according to an embodiment of the present invention;

FIG. 4 is a flowchart of calling the connection establishment hook function according to an embodiment of the present invention;

FIG. 5 is a flowchart of calling the connection disconnection hook function according to an embodiment of the present invention;

FIG. 6 is a flowchart of calling the authentication end hook function according to an embodiment of the present invention;

FIG. 7 is a flowchart of calling the forwarding hook function according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of an access point according to an embodiment of the present invention.

Detailed description of the embodiments

As described above, wired access networks commonly prevent counterfeit users by binding IP+MAC to a physical port, but this method is not applicable in a wireless access network. To solve the problem that the prior art cannot prevent counterfeit users in a wireless access network when the frames transmitted over the air are unencrypted, the present invention provides a method and an access point for preventing counterfeit users in a wireless access network. Based on the characteristics of 802.11 wireless access networks, it proposes binding IP+MAC to a VAP, which achieves the goal of preventing counterfeit users in an 802.11 wireless access network. The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only serve to explain the present invention and do not limit it.

Method embodiment

According to an embodiment of the present invention, a method for preventing counterfeit users in a wireless access network is provided. FIG. 1 is a flowchart of the method according to an embodiment of the present invention; as shown in FIG. 1, the method comprises the following processing:

Step 101: establish one or more virtual access points, wherein each virtual access point has a corresponding Basic Service Set Identifier (BSSID);

That is, multiple VAPs are established on the AP. They operate on the same channel and share the same Service Set Identifier (SSID), but have different BSSIDs. Each VAP sends beacon frames carrying its own BSSID; when a terminal receives these beacon frames it determines from the BSSID that they come from different VAPs, so the terminal believes the beacons are sent by multiple APs.

Step 102: connect the terminal to a virtual access point according to the terminal's MAC address, and authenticate the terminal;

In step 102, connecting the terminal to a virtual access point involves the following processing: 1. when a terminal needs to connect to a virtual access point, determine from the terminal's MAC address whether a terminal with the same MAC address is already connected to that virtual access point; 2. if no terminal with the same MAC address is connected to that virtual access point, allow the terminal to connect to it; 3. if a terminal with the same MAC address already exists on that virtual access point, refuse to connect the terminal to it, forcing the terminal to connect to another virtual access point (that is, one to which no terminal with the same MAC address is connected).

In a wireless network connections are easily broken, and the terminal that connects first is not necessarily the legitimate one. Therefore, when a terminal wants to connect to a VAP, the AP needs to check whether a terminal with the same MAC address is already connected to that VAP; if so, it refuses the connection, and the terminal then automatically tries to connect to another VAP with the same SSID. The counterfeit terminal and the legitimate terminal are thereby forced onto different VAPs.

Step 103: for a legitimate terminal that has passed authentication, bind the IP address and/or MAC address of the legitimate terminal to the BSSID of the virtual access point it is connected to, thereby determining the binding relationship between the legitimate terminal and the virtual access point;

It should be noted that the header of an 802.11 data frame sent by a terminal carries the BSSID. Since the legitimate terminal and the counterfeit terminal are connected to different VAPs, the BSSIDs in the frames they send differ, and the AP can tell from the BSSID which terminal sent a frame.

Preferably, in practical applications, a terminal authorization state table can also be established. Each entry of the table contains an IP address, a MAC address, a BSSID and an authorization state, where the authorization state is one of restricted, authorized and forbidden.

In step 103, for a legitimate terminal that has passed authentication, binding its IP address and/or MAC address to the BSSID of the virtual access point it is connected to involves the following processing: 1. using the terminal authorization state table, determine whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal; if so, change that entry's authorization state to authorized and save the corresponding IP address; 2. using the terminal authorization state table, determine whether there is an entry that matches the MAC address of the legitimate terminal but not its BSSID; if so, change that entry's authorization state to forbidden.

Step 104: forward the data frames sent by the legitimate terminal according to the binding relationship, and discard the data frames sent by the counterfeit terminal.

In step 104, forwarding the data frames sent by the legitimate terminal and discarding those sent by the counterfeit terminal according to the binding relationship involves the following processing: 1. using the terminal authorization state table, determine whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal; if so, determine whether the source IP address in the legitimate terminal's frame matches the IP address in that entry; 2. if the IP address matches, check the authorization state in the entry; 3. if the authorization state is authorized, forward the frame; if it is forbidden, discard the frame; if it is restricted, further determine whether the destination IP in the frame is within the allowed address range, forwarding the frame if it is and discarding it otherwise.

That is, once a legitimate terminal passes Web authentication, the AP binds its IP/MAC address to the VAP it is connected to. The BSSID in the frames sent by the legitimate terminal then matches the BSSID of the bound VAP, so they are allowed through, while the frames sent by the counterfeit terminal carry a BSSID that does not match the bound VAP's BSSID and are discarded by the AP, which is how the counterfeit terminal is blocked.

In addition, when a terminal disconnects, the following processing is performed: 1. using the terminal authorization state table, check whether an entry matching the terminal's MAC address and BSSID exists, and if so check whether its authorization state is authorized; 2. if the entry's authorization state is authorized, delay the disconnection and set a predetermined time; if it is not authorized, disconnect immediately; 3. when the predetermined time expires, check whether the terminal is still online; if it is, keep the connection, otherwise disconnect.

The above technical solution of the embodiments of the present invention is described in detail below with reference to the accompanying drawings.

FIG. 2 is a schematic diagram of the AP's processing for preventing counterfeit users according to an embodiment of the present invention. As shown in FIG. 2, the AP's wireless access module establishes and tears down connections with wireless terminals and detects whether a terminal is still connected; the AP's packet forwarding module forwards packets received from the wireless network to the wired network and, conversely, packets received from the wired network to the wireless network; the AP's Web portal authentication module implements the Web portal authentication procedure.

The AP's anti-counterfeit module distinguishes, judges and blocks counterfeit terminals. It is the module that the technical solution of this embodiment adds to the AP, and it is mainly used to: 1. on receiving a connection establishment request, check whether a terminal with the same MAC address is already connected to the same VAP and, if so, reject the connection; 2. on receiving a disconnection request, check whether the terminal is still online, in case the request comes from a counterfeit terminal; 3. after Web portal authentication succeeds, establish the binding between the IP address, the MAC address and the VAP; 4. when forwarding packets, decide whether forwarding is allowed according to the binding between IP+MAC and the VAP.

The anti-counterfeit module also maintains a terminal authorization state table whose entries have the format <IP address, MAC address, BSSID, authorization state>. The authorization state takes one of three values: restricted, authorized and forbidden. Restricted means the terminal may only access the DHCP server, DNS server, Web portal server and the like; authorized means the terminal may access the external network normally; forbidden means the terminal's packets are not forwarded at all.

It should be noted that in practical applications the above functions of the anti-counterfeit module take the form of a series of hook functions: the authentication end hook function, the WLAN-EAH forwarding hook function, the ETH-WLAN forwarding hook function, the connection establishment hook function and the connection disconnection hook function. These hook functions are called by the other modules at the appropriate moments. FIG. 3 is a signaling flowchart of calling the hook functions according to an embodiment of the present invention; as shown in FIG. 3, the processing is as follows:

Step 1: the terminal interacts with the AP, and the AP calls the connection establishment hook function to carry out the 802.11 connection procedure;

Step 2: the terminal interacts with the DHCP server to obtain an IP address dynamically. From this point on, when forwarding packets sent by the terminal and packets destined to the terminal, the AP calls the WLAN-EAH forwarding hook function and the ETH-WLAN forwarding hook function respectively;

Step 3: the terminal interacts with the Web portal server; after Web portal authentication, the AP calls the authentication end hook function;

Step 4: after successful authentication, the terminal accesses the external network;

Step 5: the terminal interacts with the AP, and the AP calls the connection disconnection hook function to carry out the 802.11 disconnection procedure.

According to the 802.11 protocol, establishing a wireless connection involves three steps: probing, authentication and association. On receiving an Authentication frame, the wireless access module calls the connection establishment hook function of the anti-counterfeit module, passing the terminal's MAC address and the BSSID of the VAP it is connecting to. FIG. 4 is a flowchart of calling the connection establishment hook function according to an embodiment of the present invention; as shown in FIG. 4, the processing is as follows:

Step 401: search the terminal authorization state table to check whether an entry matching both the MAC address and the BSSID exists;

Step 402: if one exists, send the terminal an Authentication frame with status code 37, rejecting its authentication request;

Step 403: if none exists, add an entry to the terminal authorization state table with the initial authorization state set to restricted and, because the terminal has not yet obtained an IP address, the initial IP address set to 0.
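The following is an added worked example, not code from the patent or from ZTE, that puts steps 102 to 104 above together with the connection establishment hook (steps 401 to 403), the authentication end processing and the WLAN-to-wired forwarding check in one small anti-counterfeit module. It models the terminal authorization state table as a dictionary keyed by (MAC, BSSID), parses the BSSID and source MAC out of a station-to-AP 802.11 data frame (ToDS=1, FromDS=0, no QoS field) followed by LLC/SNAP and an IPv4 header, and runs a constructed scenario in which a counterfeit terminal copies a legitimate terminal's MAC and IP. Everything not in the patent text is an assumption: the list of addresses a restricted terminal may reach, the decision to skip the IP comparison for restricted entries (the patent stores IP 0 until authentication ends), the frame layout, and all MAC, BSSID and IP values.

```python
import struct
from ipaddress import ip_address, ip_network

# Authorization states of the terminal authorization state table (names from the patent text).
RESTRICTED, AUTHORIZED, FORBIDDEN = "restricted", "authorized", "forbidden"

# Destinations a restricted terminal may still reach (DHCP, DNS, Web portal).
# Constructed sample addresses; the patent only names the server roles.
RESTRICTED_ALLOWED = [ip_network("10.0.0.1/32"), ip_network("10.0.0.53/32"), ip_network("10.0.0.80/32")]


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(bssid, src_mac, dst_mac, src_ip, dst_ip):
    """Constructed 802.11 data frame (ToDS=1, FromDS=0) carrying LLC/SNAP and an IPv4 header.
    With ToDS=1/FromDS=0 the address fields are Addr1=BSSID, Addr2=SA, Addr3=DA."""
    hdr = (bytes([0x08, 0x01]) + b"\x00\x00" + mac_bytes(bssid) + mac_bytes(src_mac)
           + mac_bytes(dst_mac) + b"\x00\x00")                       # 24-byte MAC header, no QoS
    llc = bytes.fromhex("aaaa030000000800")                           # LLC/SNAP, EtherType IPv4
    ipv4 = (bytes([0x45, 0x00]) + struct.pack(">HHHBBH", 40, 0, 0, 64, 17, 0)
            + ip_address(src_ip).packed + ip_address(dst_ip).packed)  # 20-byte IPv4 header
    return hdr + llc + ipv4


def parse_frame(frame):
    """Return (BSSID, source MAC, source IP, destination IP) of a station-to-AP data frame."""
    fc_type, flags = (frame[0] >> 2) & 0x3, frame[1]
    if fc_type != 2 or flags & 0x3 != 0x1:
        raise ValueError("expected a data frame with ToDS=1, FromDS=0")
    ip = frame[32:52]                                                 # 24-byte header + 8-byte LLC/SNAP
    return (mac_str(frame[4:10]), mac_str(frame[10:16]),
            str(ip_address(ip[12:16])), str(ip_address(ip[16:20])))


class AntiCounterfeitModule:
    """Hooks of the anti-counterfeit module; the state table is keyed by (MAC, BSSID)."""

    def __init__(self):
        self.table = {}   # (mac, bssid) -> {"ip": str, "state": str}

    def on_connect(self, mac, bssid):
        """Connection establishment hook (steps 401-403): reject with 802.11 status code 37 if this
        MAC is already on this VAP, otherwise add a restricted entry with IP 0 (not yet assigned)."""
        if (mac, bssid) in self.table:
            return 37
        self.table[(mac, bssid)] = {"ip": "0.0.0.0", "state": RESTRICTED}
        return "accept"

    def on_auth_end(self, passed, ip, mac, bssid):
        """Authentication end hook (step 103): bind IP+MAC to the VAP the terminal authenticated
        through, and mark entries with the same MAC on any other VAP as forbidden."""
        if not passed:
            return
        for (m, b), entry in self.table.items():
            if m != mac:
                continue
            if b == bssid:
                entry.update(ip=ip, state=AUTHORIZED)
            else:
                entry["state"] = FORBIDDEN

    def forward_from_wlan(self, frame):
        """WLAN-to-wired forwarding hook (step 104): returns 'forward' or 'drop'."""
        bssid, src_mac, src_ip, dst_ip = parse_frame(frame)
        entry = self.table.get((src_mac, bssid))
        if entry is None:
            return "drop"                     # no terminal with this MAC was admitted on this VAP
        if entry["state"] == RESTRICTED:
            # Assumption: no IP is bound yet in the restricted state, so only the destination is checked.
            allowed = any(ip_address(dst_ip) in net for net in RESTRICTED_ALLOWED)
            return "forward" if allowed else "drop"
        if entry["ip"] != src_ip or entry["state"] != AUTHORIZED:
            return "drop"                     # IP does not match the binding, or entry is forbidden
        return "forward"


def demo():
    """Constructed scenario: a counterfeit terminal copies the legitimate terminal's MAC and IP."""
    vap1, vap2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # BSSIDs of two VAPs with the same SSID
    mac, ip, gw = "aa:bb:cc:dd:ee:01", "192.168.1.10", "02:00:00:00:00:fe"
    newcomer = "aa:bb:cc:dd:ee:02"                          # a different, not yet authenticated terminal
    ap = AntiCounterfeitModule()
    r = {}
    r["legit_connect"] = ap.on_connect(mac, vap1)           # 'accept'
    r["fake_on_vap1"] = ap.on_connect(mac, vap1)            # 37: same MAC already on this VAP
    r["fake_on_vap2"] = ap.on_connect(mac, vap2)            # 'accept': pushed onto another VAP
    ap.on_auth_end(True, ip, mac, vap1)                     # legitimate terminal passes portal auth
    r["legit_frame"] = ap.forward_from_wlan(build_frame(vap1, mac, gw, ip, "203.0.113.5"))   # forward
    r["fake_frame"] = ap.forward_from_wlan(build_frame(vap2, mac, gw, ip, "203.0.113.5"))    # drop
    ap.on_connect(newcomer, vap1)                           # restricted until it authenticates
    r["restricted_to_portal"] = ap.forward_from_wlan(build_frame(vap1, newcomer, gw, "192.168.1.11", "10.0.0.80"))
    r["restricted_to_internet"] = ap.forward_from_wlan(build_frame(vap1, newcomer, gw, "192.168.1.11", "203.0.113.5"))
    return r
```

The frame from the counterfeit terminal is dropped even though its MAC and source IP are identical to the legitimate terminal's, because the BSSID in its 802.11 header names the VAP it was pushed onto, and the binding created at authentication end only authorizes the (MAC, BSSID) pair of the VAP the legitimate terminal used.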

如图3所示,在终端断开连接时,会发送Disassociation或者Deauthentication。这时,无线接入模块会调用防假冒模块的连接断开钩子函数,传递的参数是终端的MAC地址,以及其连接的VAP的BSSID。图5是本发明实施例的调用连接断开钩子函数的流程图,如图5所示,包括如下处理:As shown in Figure 3, when the terminal is disconnected, Disassociation or Deauthentication will be sent. At this time, the wireless access module will call the connection disconnection hook function of the anti-counterfeit module, and the parameters passed are the MAC address of the terminal and the BSSID of the VAP it is connected to. Fig. 5 is the flow chart of calling connection disconnection hook function of the embodiment of the present invention, as shown in Fig. 5, comprises following processing:

Step 501: search the terminal authorization state table for an entry whose MAC address and BSSID match.

Step 502: if a matching entry exists, check whether its authorization state is authorized.

Step 503: if the matching entry's authorization state is authorized, delay the disconnection and start a timer; otherwise, disconnect immediately.

Step 504: when the timer expires, check whether the terminal is still online; if so, keep the connection, otherwise disconnect.

It should be noted that a fake terminal sometimes sends a Deauthentication frame after receiving the Authentication frame that rejects its request. If the AP treated that frame as a Deauthentication frame sent by the normal terminal and disconnected immediately, the normal terminal would be affected. The disconnection therefore has to be delayed so that the AP can check whether the terminal has really disconnected.

When Webportal authentication ends, if the authentication passed, the authentication end hook function is called, with the terminal's IP address, MAC address, BSSID and so on as parameters. Fig. 6 is a flowchart of calling the authentication end hook function according to an embodiment of the present invention; as shown in Fig. 6, the processing is as follows:

Step 601: if the authentication did not pass, return directly;

Step 602: search the terminal authorization state table for an entry whose MAC address and BSSID both match;

Step 603: if a matching entry exists, change its authorization state to authorized and save the IP address;

Step 604: search the terminal authorization state table for an entry whose MAC address matches but whose BSSID does not;

Step 605: if such an entry exists, it is regarded as a fake terminal and its authorization state is changed to forbidden.

Once the terminal is connected, the forwarding hook function of the anti-spoofing module is called whenever a packet is forwarded, with the packet's IP address, its MAC address and the VAP used to send or receive the packet as parameters. Fig. 7 is a flowchart of calling the forwarding hook function according to an embodiment of the present invention; as shown in Fig. 7, the processing is as follows:

Step 701: search the terminal authorization state table for an entry whose MAC address and BSSID both match;

Step 702: if such an entry exists, compare the source IP address in the packet with the IP address in the entry. They are considered to match if the two addresses are equal or the IP address in the entry is all zeros;

Step 703: if the IP address also matches, check the authorization state. If it is authorized, forwarding is allowed; if it is forbidden, the packet is dropped;

Step 704: if the state is restricted, also check whether the destination IP is within the allowed address range. If it is not, drop the packet; otherwise allow forwarding.

Because the BSSID is carried only in 802.11 frames and not in Ethernet frames, the AP can, in order to tell on the wired side which terminal a packet came from, map different BSSIDs to different VIDs when forwarding, or apply MAC address translation, IP address translation or similar methods.

It should be noted that the technical solution of the embodiment may also establish only a single VAP, keeping only the connection establishment and disconnection hook functions in the anti-spoofing module. The drawback of this simplified scheme is that it assumes the terminal that connects first is the legitimate one and the terminal that connects later is the fake one, whereas the opposite may actually happen; if it does, the legitimate terminal's connection is wrongly rejected. Adopting this simplified scheme is therefore not recommended.

Device embodiment

According to an embodiment of the present invention, an access point is provided. Fig. 8 is a schematic structural diagram of the access point according to an embodiment of the present invention; as shown in Fig. 8, the access point includes a first establishment module 80, a connection module 81, an authentication module 82, a second establishment module 83 and a processing module 84. It should be noted that the connection module 81 corresponds to the wireless access module in Fig. 2, the authentication module 82 corresponds to the WebPortal authentication module in Fig. 2, some functions of the processing module 84 correspond to the packet forwarding module in Fig. 2, and the first establishment module 80, the second establishment module 83 and the remaining functions of the processing module 84 correspond to the anti-spoofing module in Fig. 2. Each module of the embodiment is described in detail below.

The first establishment module 80 is configured to establish one or more virtual access points, each of which has a corresponding basic service set identifier (BSSID);

That is, the first establishment module 80 establishes multiple VAPs on the AP; they operate on the same channel and share the same service set identifier (SSID) but have different BSSIDs. Each VAP sends beacon frames carrying its own BSSID, so a terminal that receives them can tell from the BSSID that they come from different VAPs and regards the beacons as being sent by multiple APs.

The connection module 81 is configured to connect a terminal to one virtual access point according to the terminal's MAC address;

Specifically, the connection module 81 includes:

a first judging submodule, configured to judge, when the terminal needs to connect to a virtual access point, whether a terminal with the same MAC address is already connected to that virtual access point; and an access submodule, configured to connect the terminal to that virtual access point when the first judging submodule determines that no terminal with the same MAC address is connected to it, and, when the first judging submodule determines that such a terminal is already connected, to refuse the connection and connect the terminal to another virtual access point to which no terminal with the same MAC address is connected.

In a wireless network connections drop easily, and the terminal that connects first is not necessarily the legitimate one. Therefore, when a terminal wants to connect to a VAP, the AP must check whether a terminal with the same MAC address is already connected to that VAP; if so, it rejects the connection, and the terminal automatically tries the other VAPs with the same SSID. The fake terminal and the legitimate terminal are thus forced onto different VAPs.

The authentication module 82 is configured to authenticate the terminal;

The second establishment module 83 is configured, for a legitimate terminal that has passed authentication, to bind the legitimate terminal's IP address and/or MAC address to the BSSID of the virtual access point it is connected to, thereby determining the binding relationship between the legitimate terminal and the virtual access point;

It should be noted that the header of an 802.11 data frame sent by a terminal carries the BSSID. Because the legitimate terminal and the fake terminal are connected to different VAPs, the BSSIDs in their frames differ, and the AP can tell from the BSSID which terminal sent a frame.

Preferably, in practice, the access point according to the embodiment further includes:

a state table establishment module, configured to establish a terminal authorization state table whose entries contain an IP address, a MAC address, a BSSID and an authorization state, where the authorization state is one of restricted, authorized and forbidden;

Specifically, the entry format of the terminal authorization state table is <IP address, MAC address, BSSID, authorization state>. The authorization state takes one of three values: restricted, authorized and forbidden. Restricted means the terminal may only access the DHCP server, DNS server, Webportal server and the like; authorized means the terminal may access the external network normally; forbidden means packets from this terminal are not forwarded.

The second establishment module 83 is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry whose MAC address and BSSID both match the legitimate terminal, and if so, change that entry's authorization state to authorized and save the corresponding IP address; and judge, according to the terminal authorization state table, whether there is an entry whose MAC address matches the legitimate terminal but whose BSSID does not, and if so, change that entry's authorization state to forbidden;

The processing module 84 is configured to forward data frames sent by the legitimate terminal according to the binding relationship and to drop data frames sent by a fake terminal.

The processing module 84 is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry whose MAC address and BSSID both match the legitimate terminal, and if so, judge whether the source IP address of the legitimate terminal's packet matches the IP address in that entry; if the IP address matches, judge the authorization state in the entry; if the state is authorized, forward the packet; if it is forbidden, drop the packet; and if it is restricted, further judge whether the packet's destination IP is within the allowed address range, forwarding the packet if it is and dropping it otherwise.

That is, once a legitimate terminal has passed Web authentication, the processing module 84 binds its IP/MAC address to the VAP it is connected to. Frames from the legitimate terminal carry a BSSID equal to that of the bound VAP and are allowed through, whereas frames from the fake terminal carry a BSSID that does not match the bound VAP and are dropped by the AP, which prevents the fake terminal from passing itself off as the legitimate one.

In addition, the technical solution of the embodiment may further include a disconnection processing module, configured, when the terminal disconnects, to check according to the terminal authorization state table whether an entry matching the terminal's MAC address and BSSID exists; if the entry exists, to check whether its authorization state is authorized; if it is authorized, to delay the disconnection and set a predetermined time, and otherwise to disconnect immediately; and, when the predetermined time expires, to check whether the terminal is still online, keeping the connection if it is and disconnecting otherwise.
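The following Python model, an added example written for this page rather than ZTE's implementation, puts the hook flows of Figs. 4 to 7 and the corresponding modules of the device embodiment above into runnable form; the class and function names, the sample MAC address, BSSIDs, IP addresses and the allowed address range for restricted terminals are all assumptions. The demo walks through the page's own scenario of a fake terminal that shares the legitimate terminal's MAC address.

```python
"""Model of the terminal authorization state table and the four hook functions
(connection establishment, disconnection, authentication end, forwarding).
Added example, not ZTE's code; all names, addresses and the allowed range are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RESTRICTED, AUTHORIZED, FORBIDDEN = "restricted", "authorized", "forbidden"
STATUS_REJECTED = 37    # 802.11 Authentication status code returned in step 402
UNKNOWN_IP = "0.0.0.0"  # step 403: all-zero IP until the portal reports the real one


@dataclass
class Entry:             # one row: <IP address, MAC address, BSSID, authorization state>
    mac: str
    bssid: str
    ip: str = UNKNOWN_IP
    state: str = RESTRICTED


@dataclass
class AntiSpoofModule:
    vaps: list             # BSSIDs of the VAPs sharing one SSID (hypothetical values)
    restricted_nets: list  # networks a restricted terminal may reach (DHCP/DNS/portal)
    table: list = field(default_factory=list)
    pending: set = field(default_factory=set)  # (mac, bssid) pairs with a timer running

    def lookup(self, mac, bssid):
        return next((e for e in self.table if e.mac == mac and e.bssid == bssid), None)

    def on_connect(self, mac, bssid):
        """Fig. 4: Authentication frame received; returns 0 (accept) or 37 (reject)."""
        if self.lookup(mac, bssid):           # step 402: same MAC already on this VAP
            return STATUS_REJECTED
        self.table.append(Entry(mac, bssid))  # step 403
        return 0

    def choose_vap(self, mac):
        """A terminal rejected by one VAP retries the other VAPs of the same SSID."""
        for bssid in self.vaps:
            if self.on_connect(mac, bssid) == 0:
                return bssid
        return None

    def on_disconnect(self, mac, bssid):
        """Fig. 5: Disassociation/Deauthentication received; 'deferred' or 'dropped'."""
        e = self.lookup(mac, bssid)
        if e and e.state == AUTHORIZED:       # step 503: authorized -> start a timer
            self.pending.add((mac, bssid))
            return "deferred"
        self._remove(mac, bssid)              # otherwise disconnect immediately
        return "dropped"

    def on_timer(self, mac, bssid, still_online):
        """Step 504: timer expired; keep the entry only if the terminal is still online."""
        self.pending.discard((mac, bssid))
        if still_online:
            return "kept"
        self._remove(mac, bssid)
        return "dropped"

    def _remove(self, mac, bssid):
        self.table = [e for e in self.table if (e.mac, e.bssid) != (mac, bssid)]

    def on_auth_end(self, passed, ip, mac, bssid):
        """Fig. 6: portal result; step 603 authorizes, steps 604-605 forbid other VAPs."""
        if not passed:                        # step 601
            return
        e = self.lookup(mac, bssid)
        if e:
            e.state, e.ip = AUTHORIZED, ip
        for other in self.table:              # same MAC on a different BSSID = fake terminal
            if other.mac == mac and other.bssid != bssid:
                other.state = FORBIDDEN

    def on_forward(self, src_ip, mac, bssid, dst_ip):
        """Fig. 7: True to forward, False to drop (no entry -> drop; an assumption)."""
        e = self.lookup(mac, bssid)
        if e is None or e.ip not in (UNKNOWN_IP, src_ip):  # steps 701-702
            return False
        if e.state == AUTHORIZED:                           # step 703
            return True
        if e.state == FORBIDDEN:
            return False
        return any(ip_address(dst_ip) in n for n in self.restricted_nets)  # step 704


def demo():
    """Constructed walk-through: a legitimate and a fake terminal share one MAC."""
    ap = AntiSpoofModule(vaps=["02:00:00:00:00:01", "02:00:00:00:00:02"],
                         restricted_nets=[ip_network("10.0.0.0/24")])
    mac, r = "aa:bb:cc:dd:ee:ff", {}
    r["legit_vap"] = ap.choose_vap(mac)     # VAP1 accepts the first terminal
    r["fake_vap"] = ap.choose_vap(mac)      # VAP1 answers status 37, VAP2 accepts
    r["fake_portal"] = ap.on_forward("10.0.1.9", mac, r["fake_vap"], "10.0.0.3")      # restricted: ok
    r["fake_internet"] = ap.on_forward("10.0.1.9", mac, r["fake_vap"], "198.51.100.7")  # dropped
    ap.on_auth_end(True, "10.0.1.5", mac, r["legit_vap"])  # legitimate terminal passes the portal
    r["fake_state"] = ap.lookup(mac, r["fake_vap"]).state  # step 605 -> forbidden
    r["legit_internet"] = ap.on_forward("10.0.1.5", mac, r["legit_vap"], "198.51.100.7")
    r["fake_spoofed_ip"] = ap.on_forward("10.0.1.5", mac, r["fake_vap"], "198.51.100.7")
    r["deauth"] = ap.on_disconnect(mac, r["legit_vap"])    # Deauthentication sent by the fake terminal
    r["timer"] = ap.on_timer(mac, r["legit_vap"], still_online=True)
    return r
```

Note that the delayed disconnection only protects an entry already in the authorized state; a Deauthentication frame arriving while the legitimate terminal is still restricted is acted on immediately, exactly as step 503 prescribes.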

It should be noted that in practice the first establishment module 80, the second establishment module 83 and the remaining functions of the processing module 84 take the form of a set of hook functions, including the authentication end hook function, the WLAN-ETH forwarding hook function, the ETH-WLAN forwarding hook function, the connection establishment hook function and the disconnection hook function. These hook functions are called by the other modules at the appropriate moments. The specific call timing and processing flows can be understood with reference to Figs. 3 to 7 of the method embodiment above and are not repeated here.

It should be noted that, because the BSSID is carried only in 802.11 frames and not in Ethernet frames, the AP can, in order to tell on the wired side which terminal a packet came from, map different BSSIDs to different VIDs when forwarding, or apply MAC address translation, IP address translation or similar methods.

The technical solution of the embodiment may also establish only a single VAP, keeping only the connection establishment and disconnection hook functions in the anti-spoofing module. The drawback of this simplified scheme is that it assumes the terminal that connects first is the legitimate one and the terminal that connects later is the fake one, whereas the opposite may actually happen; if it does, the legitimate terminal's connection is wrongly rejected. Adopting this simplified scheme is therefore not recommended.

By establishing VAPs and binding the legitimate terminal's IP+MAC to a VAP, the embodiment of the present invention solves the prior-art problem that fake users cannot be prevented in a wireless access network when the packets sent over the air are unencrypted. It achieves the prevention of fake users in an 802.11 wireless access network and protects the interests of legitimate users and operators.

Although preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible; therefore, the scope of the present invention should not be limited to the above-described embodiments.

Claims (8)

1. A method for preventing fake users in a wireless access network, characterized by comprising:
establishing one or more virtual access points, wherein each virtual access point has a corresponding basic service set identifier (BSSID);
connecting a terminal to one virtual access point according to the MAC address of the terminal, and authenticating the terminal;
for a legitimate terminal that has passed authentication, binding the MAC address of the legitimate terminal to the BSSID of the virtual access point to which the legitimate terminal is connected, and determining the binding relationship between the legitimate terminal and the virtual access point;
forwarding data frames sent by the legitimate terminal according to the binding relationship, and discarding data frames sent by a fake terminal;
wherein connecting the terminal to one virtual access point according to the MAC address of the terminal comprises:
when the terminal needs to connect to a virtual access point, judging according to the MAC address of the terminal whether a terminal with the same MAC address is connected to that virtual access point;
when it is judged that no terminal with the same MAC address is connected to that virtual access point, connecting the terminal to that virtual access point;
when it is judged that a terminal with the same MAC address exists on that virtual access point, refusing to connect the terminal to that virtual access point, and connecting the terminal to another virtual access point to which no terminal with the same MAC address is connected.
2. The method according to claim 1, characterized in that the method further comprises:
establishing a terminal authorization state table, wherein the terminal authorization state table comprises an IP address, a MAC address, a BSSID and an authorization state, and the authorization state comprises restricted, authorized and forbidden.
3. The method according to claim 2, characterized in that, when the terminal disconnects, the method further comprises:
checking, according to the terminal authorization state table, whether an entry matching the MAC address and BSSID of the terminal exists, and if the entry exists, checking whether the authorization state of the entry is authorized;
if the authorization state of the entry is authorized, delaying the disconnection and setting a scheduled time; if the authorization state of the entry is not authorized, disconnecting immediately;
after the scheduled time expires, checking whether the terminal is still online; if it is online, keeping the connection, otherwise disconnecting.
4. The method according to claim 2, characterized in that, for a legitimate terminal that has passed authentication, binding the MAC address of the legitimate terminal to the BSSID of the virtual access point to which the legitimate terminal is connected comprises:
judging, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, changing the authorization state of that entry to authorized and saving the corresponding IP address;
judging, according to the terminal authorization state table, whether there is an entry matching the MAC address of the legitimate terminal but not matching its BSSID, and if so, changing the authorization state of that entry to forbidden.
5. The method according to claim 2, characterized in that forwarding data frames sent by the legitimate terminal according to the binding relationship and discarding data frames sent by a fake terminal comprises:
judging, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, judging whether the source IP address in the packet of the legitimate terminal matches the IP address in that entry;
if the IP addresses match, judging the authorization state in that entry;
when the authorization state is judged to be authorized, forwarding the packet; when it is judged to be forbidden, discarding the packet; and when it is judged to be restricted, further judging whether the destination IP in the packet is within the allowed address range, forwarding the packet if it is within the allowed address range and discarding it otherwise.
6. An access point, characterized by comprising:
a first establishment module, configured to establish one or more virtual access points, wherein each virtual access point has a corresponding basic service set identifier (BSSID);
a connection module, configured to connect a terminal to one virtual access point according to the MAC address of the terminal;
an authentication module, configured to authenticate the terminal;
a second establishment module, configured, for a legitimate terminal that has passed authentication, to bind the MAC address of the legitimate terminal to the BSSID of the virtual access point to which the legitimate terminal is connected, and to determine the binding relationship between the legitimate terminal and the virtual access point;
a processing module, configured to forward data frames sent by the legitimate terminal according to the binding relationship and to discard data frames sent by a fake terminal;
wherein the connection module specifically comprises:
a first judging submodule, configured to judge, when the terminal needs to connect to a virtual access point, according to the MAC address of the terminal whether a terminal with the same MAC address is connected to that virtual access point;
an access submodule, configured to connect the terminal to that virtual access point when the first judging submodule judges that no terminal with the same MAC address is connected to it, and, when the first judging submodule judges that a terminal with the same MAC address exists on that virtual access point, to refuse to connect the terminal to that virtual access point and to connect the terminal to another virtual access point to which no terminal with the same MAC address is connected.
7. The access point according to claim 6, characterized in that the access point further comprises:
a state table establishment module, configured to establish a terminal authorization state table, wherein the terminal authorization state table comprises an IP address, a MAC address, a BSSID and an authorization state, and the authorization state comprises restricted, authorized and forbidden;
a disconnection processing module, configured, when the terminal disconnects, to check according to the terminal authorization state table whether an entry matching the MAC address and BSSID of the terminal exists, and if the entry exists, to check whether the authorization state of the entry is authorized; if the authorization state of the entry is authorized, to delay the disconnection and set a scheduled time, and if the authorization state of the entry is not authorized, to disconnect immediately; and after the scheduled time expires, to check whether the terminal is still online, keeping the connection if it is online and disconnecting otherwise.
8. The access point according to claim 7, characterized in that
the second establishment module is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, change the authorization state of that entry to authorized and save the corresponding IP address; and judge, according to the terminal authorization state table, whether there is an entry matching the MAC address of the legitimate terminal but not matching its BSSID, and if so, change the authorization state of that entry to forbidden;
the processing module is specifically configured to: judge, according to the terminal authorization state table, whether there is an entry matching both the MAC address and the BSSID of the legitimate terminal, and if so, judge whether the source IP address in the packet of the legitimate terminal matches the IP address in that entry; if the IP addresses match, judge the authorization state in that entry; when the authorization state is judged to be authorized, forward the packet; when it is judged to be forbidden, discard the packet; and when it is judged to be restricted, further judge whether the destination IP in the packet is within the allowed address range, forwarding the packet if it is within the allowed address range and discarding it otherwise.
CN201010553071.6A 2010-11-22 2010-11-22 Method for preventing fake user in wireless access network and access point Active CN102480729B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010553071.6A CN102480729B (en) 2010-11-22 2010-11-22 Method for preventing fake user in wireless access network and access point
PCT/CN2011/072402 WO2012068815A1 (en) 2010-11-22 2011-04-02 Method for preventing impostors in wireless access network, and access point

Publications (2)

Publication Number Publication Date
CN102480729A CN102480729A (en) 2012-05-30
CN102480729B true CN102480729B (en) 2015-11-25

Also Published As

Publication number Publication date
WO2012068815A1 (en) 2012-05-31
CN102480729A (en) 2012-05-30

Similar Documents

Publication Publication Date Title
CN102480729B (en) Method for preventing fake user in wireless access network and access point
CN107251522B (en) Method for using network tokens for efficient policy enforcement on the service control plane
US7480933B2 (en) Method and apparatus for ensuring address information of a wireless terminal device in communications network
US7653200B2 (en) Accessing cellular networks from non-native local networks
AU2005236981B2 (en) Improved subscriber authentication for unlicensed mobile access signaling
AU2008213766B2 (en) Method and system for registering and verifying the identity of wireless networks and devices
JP5008395B2 (en) Flexible WLAN access point architecture that can accommodate different user equipment
KR101432042B1 (en) Confidential communication method using vpn, a system and program for the same, and memory media for program therefor
JP4687788B2 (en) Wireless access system and wireless access method
WO2008019615A1 (en) The method, device and system for access authenticating
JP2022043175A (en) Non-3gpp device access to core network
CN101651682A (en) Method, system and device of security certificate
WO2006002601A1 (en) A method for wireless lan users set-up session connection
CN112640387B (en) non-SI device, method, and computer readable and/or microprocessor executable medium for wireless connection
WO2013185709A1 (en) Call authentication method, device, and system
US20080126455A1 (en) Methods of protecting management frames exchanged between two wireless equipments, and of receiving and transmitting such frames, computer programs, and data media containing said computer programs
KR100819942B1 (en) Quarantine and Policy-based Access Control Method for Wired and Wireless Networks
CN101562526B (en) Method, system and equipment for data interaction
CN101765110A (en) Dedicated encryption protection method between user and wireless access point
JP4169534B2 (en) Mobile communication service system
CN116709338B (en) Wi-Fi access point capable of defending middleman MitM attack
WO2013062393A1 (en) Method and apparatus for supporting single sign-on in a mobile communication system
Horn et al. Securing network access in future mobile systems
WO2007008052A1 (en) Methods of protecting management frames exchanged between two wireless equipments, and of receiving and transmitting such frames, computer programs, and data media containing said computer programs

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant